Does serverScan.py issue SS06 make sense in a federated deployment?

07-09-2020 06:09 AM
by Anonymous User
Not applicable

When running serverScan.py against ArcGIS Server in a federated environment, issue ID SS06 is raised for each service in the System folder. For context, here is the text of one of the issues:

| Id | Severity | Property Tested | Scan Results |
|----|----------|-----------------|--------------|
| SS06 | Critical | System/CachingControllers service permissions | Open to roles: esriAuthenticated |

Non-default permissions are applied to this service within the System folder in Server Manager. To ensure only administrators and publishers have access to the service in the System folder, no roles should be assigned to the service.

It seems that the role esriAuthenticated refers to users that have been authenticated by Portal in the federated ArcGIS Enterprise deployment. So, does this error even make sense in this context?

0 Kudos
4 Replies
RandallWilliams
Esri Regular Contributor

I don't see this in my reports in my federated environment, but it makes sense to me. There's a difference between authenticated and authorized. Not every user that is authenticated should be authorized to this resource. Only publishers or higher should have rights to caching controllers. Otherwise an unauthorized user could potentially kick off a caching job on a service and cause resource consumption issues or fill up your disk with tiles.

0 Kudos
ChristopherPawlyszyn
Esri Contributor

To add to what Randall mentioned, when taking a look at the permissions in Server Admin I am not seeing any allowedPrincipals for the System services. If that is different on your deployment, then it is likely the reason for the alert. Can you verify whether this was a fresh install or upgrade, and what versions were/are involved? This may be better handled within a support case since the behavior looks to be site-specific.


-- Chris Pawlyszyn
0 Kudos
StefanUseldinger
Occasional Contributor II

I am also receiving the security warning SS06 and when I look at the permissions, there is "Allowed Principals"="Administrators". So how can I handle the message SS06? When I want to update the sharing of the service, it says "This default service has not yet been configured for sharing with Portal. Click Update Sharing to enable this.". When I click "Update sharing", nothing changes in the GUI although I see "status: success" in the response of the POST request /arcgis/admin/services/System/CachingControllers.GPServer/edit. Any idea?

0 Kudos
RandallWilliams
Esri Regular Contributor

Why do you want to update the sharing permissions on the caching controllers in the first place?

0 Kudos
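
An added example, not part of the thread and not Esri's serverScan.py code, of the rule the SS06 text describes: any role assigned to a System-folder service is flagged, and esriAuthenticated is called out because it covers every signed-in user rather than only publishers and administrators. The permissions record shape, the function names and the sample data are assumptions constructed for illustration.

```python
# Added example: offline SS06-style check over constructed data.
# ASSUMPTION: each service's permissions record has the shape
#   {"permissions": [{"principal": <role>, "permission": {"isAllowed": bool}}]}

BROAD_ROLES = {"esriEveryone", "esriAuthenticated"}  # anyone / any signed-in user


def allowed_principals(record):
    """Return the sorted roles explicitly allowed on one service."""
    roles = []
    for entry in record.get("permissions", []):
        if entry.get("permission", {}).get("isAllowed", False):
            roles.append(entry["principal"])
    return sorted(roles)


def check_system_folder(services):
    """Flag every System-folder service that has any role assigned.

    `services` maps "Folder/Name.Type" to a permissions record.
    Returns a list of (service, roles, note) tuples.
    """
    findings = []
    for name, record in sorted(services.items()):
        if not name.startswith("System/"):
            continue  # the rule quoted on this page only covers the System folder
        roles = allowed_principals(record)
        if not roles:
            continue  # default state: no roles assigned
        broad = [r for r in roles if r in BROAD_ROLES]
        note = ("authenticated is not authorized: open to all signed-in users"
                if broad else "non-default: explicit role assigned")
        findings.append((name, roles, note))
    return findings


SAMPLE = {  # constructed sample, not captured from a real site
    "System/CachingControllers.GPServer": {"permissions": [
        {"principal": "esriAuthenticated", "permission": {"isAllowed": True}}]},
    "System/PublishingTools.GPServer": {"permissions": []},
    "System/CachingTools.GPServer": {"permissions": [
        {"principal": "Administrators", "permission": {"isAllowed": True}}]},
    "Maps/Parcels.MapServer": {"permissions": [
        {"principal": "esriEveryone", "permission": {"isAllowed": True}}]},
}

if __name__ == "__main__":
    for service, roles, note in check_system_folder(SAMPLE):
        print(f"SS06 {service}: open to roles {', '.join(roles)} ({note})")
```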